WHAT IS CLAIMED IS: 

1. A system comprising:

a terminal capable of communicating at least one of within and across at least one 
network, wherein the terminal is included within an organization including a plurality of 
terminals, at least one terminal having at least one characteristic and being at at least one
of a plurality of positions within the organization; 

a secondary certification authority (CA) capable of providing at least one role 
certificate to the terminal based upon the at least one position of the terminal within the 
organization, wherein the organization includes a plurality of secondary CA's capable of 
issuing at least one role certificate to respective groups of terminals of the organization;

a tertiary CA capable of providing at least one permission certificate to the 
terminal based upon the at least one characteristic of the terminal that is located at a 
position within the organization, wherein the organization includes a plurality of tertiary 
CA's capable of issuing at least one permission certificate to respective sub-groups of 
terminals of the organization; and

a server capable of authenticating the terminal based upon an identity certificate, 
the at least one role certificate and the at least one permission certificate of the terminal to 
thereby determine whether to grant the terminal access to at least one resource of the 
server. 

2. A system according to Claim 1, wherein the terminal comprises a terminal 
included within an organization comprising a customer base of a cellular service provider 
that includes a plurality of terminals, each terminal being at one of a plurality of positions 
comprising a plurality of service plans offered by the cellular network operator, and
wherein at least one terminal has at least one characteristic comprising at least one
optional service offered by the cellular network operator. 

3. A system according to Claim 1, wherein the terminal comprises a terminal 
included within an organization comprising a customer base of a cellular service provider
that includes a plurality of terminals, each terminal being at at least one of a plurality of
positions comprising a plurality of services offered by the cellular network operator, and
wherein at least one terminal has at least one characteristic comprising at least one
optional service offered by the cellular network operator. 

4. A system according to Claim 1, wherein the tertiary CA is capable of
providing at least one permission certificate each having an associated validity time no
greater than a validity time of the at least one role certificate provided by the secondary 
CA, and no greater than a validity time of the identity certificate. 

5. A system according to Claim 4, wherein the server is capable of
authenticating the terminal based upon the validity times of the identity certificate, at
least one role certificate and at least one permission certificate of the respective terminal.

6. A system according to Claim 1, wherein the terminal is capable of 
requesting access to at least one resource of a server before the server authenticates the
terminal, and wherein the server is capable of granting access to the at least one resource
if the terminal is authenticated. 



7. A method of authenticating a terminal comprising: 
providing a terminal capable of communicating at least one of within and across 
at least one network, wherein the terminal is included within an organization including a
plurality of terminals, at least one terminal having at least one characteristic and being at 
at least one of a plurality of positions within the organization; 

providing at least one role certificate to the terminal from a secondary 
certification authority (CA) based upon the at least one position of the terminal within the 
organization, wherein the organization includes a plurality of secondary CA's capable of
issuing at least one role certificate to respective groups of terminals of the organization; 

providing at least one permission certificate to the terminal from a tertiary CA 
based upon the at least one characteristic of the terminal located at a position within the 
organization, wherein the organization includes a plurality of tertiary CA's capable of 
issuing at least one permission certificate to respective sub-groups of terminals of the
organization; and 

authenticating the terminal at a server based upon an identity certificate, the at
least one role certificate and the at least one permission certificate of the terminal to 
thereby determine whether to grant the terminal access to at least one resource of the 
server. 

8. A method according to Claim 7, wherein providing a terminal comprises 
providing a terminal included within an organization comprising a customer base of a 
cellular service provider that includes a plurality of terminals, each terminal being at one 
of a plurality of positions comprising a plurality of service plans offered by the cellular
network operator, and wherein at least one terminal has at least one characteristic
comprising at least one optional service offered by the cellular network operator. 

9. A method according to Claim 7, wherein providing a terminal comprises 
providing a terminal included within an organization comprising a customer base of a
cellular service provider that includes a plurality of terminals, each terminal being at at
least one of a plurality of positions comprising a plurality of services offered by the 
cellular network operator, and wherein at least one terminal has at least one characteristic 
comprising at least one optional service offered by the cellular network operator. 

10. A method according to Claim 7, wherein providing at least one permission
certificate comprises providing at least one permission certificate each having an
associated validity time no greater than a validity time of the at least one role certificate, 
and no greater than a validity time of the identity certificate. 

11. A method according to Claim 10, wherein authenticating the terminal
comprises authenticating the terminal based upon the validity times of the identity
certificate, at least one role certificate and at least one permission certificate of the 
respective terminal. 

12. A method according to Claim 7 further comprising:
requesting, from the terminal, access to at least one resource of a server before
authenticating the terminal; and 

granting access to the at least one resource if the terminal is authenticated. 



13. A terminal included within an organization including a plurality of
terminals, each terminal having at least one characteristic and being at at least one of a
plurality of positions within the organization, the terminal comprising: 

a controller capable of communicating at least one of within and across at least 
one network, wherein the controller is capable of obtaining at least one role certificate
from a secondary certification authority (CA) based upon the at least one position of the
terminal within the organization and at least one permission certificate from a tertiary CA 
based upon the at least one characteristic of the terminal that is located at a position 
within the organization, wherein the organization includes a plurality of secondary CA's 
capable of issuing at least one role certificate to respective groups of terminals of the
organization, and wherein the organization includes a plurality of tertiary CA's capable
of issuing at least one permission certificate to respective sub-groups of terminals of the 
organization; and 

a memory capable of storing an identity certificate, at least one role certificate and
at least one permission certificate,

wherein the controller is also capable of communicating with a server such that
the server is capable of authenticating the terminal based upon the identity certificate, the
at least one role certificate and the at least one permission certificate of the terminal to 
thereby determine whether to grant the terminal access to at least one resource of the 
server. 

14. A terminal according to Claim 13, wherein the controller is capable of 
obtaining at least one role certificate from a secondary CA capable of issuing at least one 
role certificate to each terminal of the organization comprising a customer base of a 
cellular service provider that includes a plurality of terminals, each terminal being at one 
of a plurality of positions comprising a plurality of service plans offered by the cellular
network operator, and wherein the controller is capable of obtaining at least one
permission certificate based upon at least one characteristic comprising at least one
optional service offered by the cellular network operator. 

15. A terminal according to Claim 13, wherein the controller is capable of
obtaining at least one role certificate from a secondary CA capable of issuing at least one
role certificate to each terminal of the organization comprising a customer base of a 
cellular service provider that includes a plurality of terminals, each terminal being at at 
least one of a plurality of positions comprising a plurality of services offered by the 
cellular network operator, and wherein the controller is capable of obtaining at least one 
permission certificate based upon at least one characteristic comprising at least one
optional service offered by the cellular network operator. 

16. A terminal according to Claim 13, wherein the controller is capable of 
obtaining at least one permission certificate each having an associated validity time no
greater than a validity time of the at least one role certificate obtained by the controller,
and no greater than a validity time of the identity certificate. 

17. A terminal according to Claim 16, wherein the controller is also capable of 
communicating with a server such that the server is capable of authenticating the terminal
based upon the validity times of the identity certificate, at least one role certificate and at
least one permission certificate of the respective terminal. 

18. A terminal according to Claim 13, wherein the controller is capable of 
requesting access to at least one resource of a server before the server authenticates the
terminal such that the server is capable of granting access to the at least one resource if
the terminal is authenticated. 
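
Added example, not part of the claims or of any implementation by the applicant: a Python model of the server-side decision in Claims 1, 4 and 5 (and their method and terminal counterparts), where access needs an identity, a role and a permission certificate and the permission may not outlive the other two. It assumes signatures were verified beforehand and reads "validity time" as the expiry instant; the field names, CA names, role and permission values and dates are constructed.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

@dataclass(frozen=True)
class Cert:
    kind: str      # "identity", "role" or "permission"
    subject: str   # terminal the certificate was issued to
    issuer: str    # issuing CA (names below are constructed)
    value: str     # role or permission name; empty for identity
    not_before: datetime
    not_after: datetime

    def valid_at(self, now):
        return self.not_before <= now <= self.not_after

def authenticate(identity, roles, perms, need_role, need_perm, trusted, now):
    """Return (granted, reason). Assumes signatures were verified earlier."""
    if (identity.kind != "identity" or identity.issuer not in trusted["identity"]
            or not identity.valid_at(now)):
        return False, "identity certificate rejected"

    def usable(c, kind, value):
        return (c.kind == kind and c.value == value and c.valid_at(now)
                and c.subject == identity.subject and c.issuer in trusted[kind])

    role = next((r for r in roles if usable(r, "role", need_role)), None)
    if role is None:
        return False, "no valid role certificate"
    limit = min(role.not_after, identity.not_after)
    candidates = [p for p in perms if usable(p, "permission", need_perm)]
    # Claim 4 bound: a permission may not outlive the role or identity it hangs on.
    if any(p.not_after <= limit for p in candidates):
        return True, "granted"
    if candidates:
        return False, "permission certificate outlives role or identity"
    return False, "no valid permission certificate"

# Constructed sample data: one terminal, one CA per tier.
NOW = datetime(2024, 1, 10)
TRUSTED = {"identity": {"root-ca"}, "role": {"plan-ca"}, "permission": {"service-ca"}}

def make_cert(kind, issuer, value, days):
    return Cert(kind, "terminal-1", issuer, value,
                NOW - timedelta(days=1), NOW + timedelta(days=days))

ID = make_cert("identity", "root-ca", "", 365)
ROLE = make_cert("role", "plan-ca", "gold-plan", 30)
PERM_OK = make_cert("permission", "service-ca", "video", 7)
PERM_LONG = make_cert("permission", "service-ca", "video", 90)
```

With this data, `PERM_OK` is accepted while `PERM_LONG` is refused even though it is unexpired, because it expires after the role certificate it depends on.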